Dropbox users' email addresses targeted by spam? (opens in new tab)

(forums.dropbox.com)

71 pointsXymak1y13y ago27 comments

edit: I updated the title to more specifically address the issue.

27 comments

26 comments · 10 top-level

justauser13y ago· 5 in thread

But this doesn't mean anything though right since all encryption happens clientside right? Oh...wrong service. This is Dropbox so they have the key on their end.

awayand13y ago

makes it hard to deduplicate encrypted data maybe?

AndrewDucker13y ago

And also to share files with other people, or access them via the website.

gst13y ago

Wuala can deduplicate encrypted data. The encryption is a little bit weaker than standard encryption (because you can tell if two users are hosting the same file), but it's not possible to determine a file's content from the cipher text (if the file is unique).

ceejayoz13y ago

Good opportunity for a paid level of service. Client-side encryption for $X extra per year, to make up for the extra storage used.

justauser13y ago

Explain that to users AND businesses who trust Dropbox with sensitive information.

1 more reply

floatingatoll13y ago· 4 in thread

If the user's computer is compromised, a simple SQLite query run against the Dropbox configuration database would reveal all Dropbox email addresses in use by that user.

If the user's email is compromised, the Dropbox confirmation email would be easy to locate and harvest, either from their mailbox, or their mail hosting provider's delivery logs.

(Usually, however, malware simply scans for all incoming email addresses, and then reports them to a central authority for later spamming.)

EDIT: As pointed out elsewhere in this thread, the email address <dropbox@yourdomain> is trivially guessable by dictionary spam attacks.

There are many routes to this information leaking. It is not at all apparent whether it's Dropbox yet.

Given that Dropbox security is actively responding in the linked forum, it seems as though this HN post - submitted by one of the users posting in that thread as "affected" - is solely to create "buzz", rather than to share news with Hacker News.

tlrobinson13y ago

All signs point to Dropbox (or a 3rd party app linked to Dropbox) as the source of the leak:

* Multiple users with email addresses unique to their Dropbox account are reporting spam. It's unlikely these individuals' computers or email accounts were all compromised at the same time.

* These same users aren't reporting spam on their other unique addresses or catchall accounts. Some of them are non-trivial addresses that would be hard to guess. It's unlikely to be a bot guessing email addresses.

Xymak1yOP13y ago

As pointed out by users in the forum post, the compromised e-mail addresses have been used not on just one Dropbox account but several. Additionally those e-mail addresses were not just trivial guesses like dropbox1@domain.com or dropbox2@domain.com, or at least they were for me.

Maybe I'm missing something here, but where else could a non-guessable e-mail address which was never used anywhere else been leaked from if not Dropbox itself?

floatingatoll13y ago

Offhand, it could be leaked from your hard drive or any backup thereof, from email stored on any of your desktop or mobile devices, or from your email provider's mail stores or mail logs. There's probably other ways too.

EDIT: Apps. Any app you've ever authorized to use your Dropbox account could have leaked the email address - for instance, via plaintext logs, or malicious behavior, or well-intended but stupid behavior - by writing the email address in plaintext to disk, or uploading it to a remote server and then losing control of it there.

bradleyland13y ago

Through a compromised system. As noted above, and in many other places, there are many attacks that focus on harvesting email addresses. Until the exploit is verified, you cannot say for a fact that the disclosure is Dropbox's fault, you can only say that it is a probable source.

dr_faustus13y ago· 2 in thread

Just searched in my Spam folder for the email address I only use for Dropbox et voilà: I got the spam messages mentioned. After the password-gate last year (http://blog.dropbox.com/index.php/yesterdays-authentication-...) this is the second major security breach by a company I (and many people I know) have a lot of data entrusted to... This really sucks!

Whats even worse: The first reports came in (from users!) over one day ago and the forum thread seems to indicate that they still have no clue what happend!

[Update] One possibility might be, that dropbox is not the culprit after all but that the spammers started to realize that people use those service-specific addresses more and more and they just send out emails to [some-service-name]@[some-domain]. At least my address is dropbox@[mydomain].

So lets hope for that...

thoughtsimple13y ago

Any response from Dropbox yet on this?

Given their previous problems, you would think they would be on top of this immediately.

frossie13y ago

Page 2 of the OP, highlighted comment, quote:

"Hi all,

We are actively investigating your reports. If you have any additional information, please email security@dropbox.com, and we’ll be sure to follow up

Joe"

adanto684013y ago· 2 in thread

I use a specific "MYNAME-dropbox@MYDOMAIN.com" email address for Dropbox and I can confirm that my Dropbox-specific address has NOT received any SPAM messages.

The only messages that have ever been sent to that specific address are from Dropbox themselves...

moepstar13y ago

My generic @gmail.com email address has yet to receive any casino specific spam either - and i'm from .de so it seems it has been guesswork on the part of the spammers?

moepstar13y ago

Ok, to reply to myself there really seems something wrong with Dropbox...

The email-address i signed up with and the one that is attached to my account is @gmail.com

However, i've recently invited 2 people with my personal @gmx.de email (using the iPhone app) and guess what...

I've got Euro Dice spam in my spamfolder there :(

bradleyland13y ago· 1 in thread

While it appears plausible (likely, even) that Dropbox is the source of the disclosure, it's not verifiable as fact until someone identifies the method used to obtain the email addresses. This makes the title inappropriate.

Malware frequently targets address books and browser forms as a means of harvesting email addresses. Not saying that it can't be Dropbox, and I'm not saying that it's even unlikely, but years of troubleshooting have taught me not to name the root cause until I can verify it myself. This is even more true when you're putting someone else's reputation on the line.

wlesieutre13y ago

It also often targets specific applications to steal credentials from. I know there have been badwares that harvest saved Steam account names and passwords (hopefully they're stored more securely now, but who knows?), and the same could be true for Dropbox email addresses.

The address book scenario or dropbox breach both seem more likely, but it's worth keeping in mind.

ecaron13y ago· 1 in thread

I don't see any confirmation in the forum that the "e-mail addresses of users" was leaked by Dropbox. It also appears to be mainly Euro-centric accounts. So while there is certainly a problem and it is very likely originating with Dropbox, the title is quite misleading and overly condemning given the known facts.

Xymak1yOP13y ago

I've been personally affected by this leak. All the e-mail addresses that I am now receiving spam on have only been used for Dropbox purposes and nothing else. In addition this was over a year ago. So - email only used for dropbox, last transferred over the web a year ago: where else would it have been leaked from?

// I did change the title to not mislead readers.

dhyasama13y ago· 1 in thread

My favorite part of the support forum is the suggestion to submit a ticket and it will "usually" be addressed in 1-3 days.

antoko13y ago

to be fair that wasn't a post by dropbox staff just a random user.

joealba13y ago

A quick browse through my domain's catchall spam folder shows an e-mail addressed to techdirt@mypersonaldomain. I don't have a techdirt account -- nor have ever used this e-mail address anywhere. Yes, spam bots make guesses, folks.

The Internet would be a better place if people would stop, take a deep breath and think before they type.

Good idea: Let the dropbox folks know that you received spam to a custom address tied to their service and let them look into it, whether it be a directed spam campaign or a possible leak.

Bad idea: "OMG!!1! Dropbox is pwn3d! Admit it! Apologize for your wrongs!"

gingerlime13y ago

I've had the same issue with box.net a few weeks/months ago. I only signed up for their service and never really used it, and I used a one-off email address that is randomly generated and used only for the service. I do this regularly now. With each service I subscribe to, I first of generate a unique random email address, so if I start to get spam, I can either block this address only, or at least know where it was leaked...

TomGullen13y ago

Here's one way to get people's email addresses. For what it's worth, I emailed DropBox about this a long time ago (months ago) and didn't even get a reply to my email!

If you use your DropBox referal code, on this page:

https://www.dropbox.com/account/bonus

You will see a list of peoples email addresses that clicked the link and signed up. Unbeknownst to them you have their email addresses.

We have hundreds of these email addresses in our account as we have been promoting DropBox on our website for a long time. The referral status page also shows information about how far through the install they are, when they signed up etc.

This is bad because it makes phishing quite easy.

Perhaps not the source of the spam, but nonetheless still a bad execution in my opinion.

1 more reply

j / k navigate · click thread line to collapse

27 comments

26 comments · 10 top-level

justauser13y ago· 5 in thread

But this doesn't mean anything though right since all encryption happens clientside right? Oh...wrong service. This is Dropbox so they have the key on their end.

awayand13y ago

makes it hard to deduplicate encrypted data maybe?

AndrewDucker13y ago

And also to share files with other people, or access them via the website.

gst13y ago

ceejayoz13y ago

Good opportunity for a paid level of service. Client-side encryption for $X extra per year, to make up for the extra storage used.

justauser13y ago

Explain that to users AND businesses who trust Dropbox with sensitive information.

1 more reply

floatingatoll13y ago· 4 in thread

If the user's computer is compromised, a simple SQLite query run against the Dropbox configuration database would reveal all Dropbox email addresses in use by that user.

If the user's email is compromised, the Dropbox confirmation email would be easy to locate and harvest, either from their mailbox, or their mail hosting provider's delivery logs.

(Usually, however, malware simply scans for all incoming email addresses, and then reports them to a central authority for later spamming.)

EDIT: As pointed out elsewhere in this thread, the email address <dropbox@yourdomain> is trivially guessable by dictionary spam attacks.

There are many routes to this information leaking. It is not at all apparent whether it's Dropbox yet.

tlrobinson13y ago

All signs point to Dropbox (or a 3rd party app linked to Dropbox) as the source of the leak:

* Multiple users with email addresses unique to their Dropbox account are reporting spam. It's unlikely these individuals' computers or email accounts were all compromised at the same time.

Xymak1yOP13y ago

Maybe I'm missing something here, but where else could a non-guessable e-mail address which was never used anywhere else been leaked from if not Dropbox itself?

floatingatoll13y ago

bradleyland13y ago

dr_faustus13y ago· 2 in thread

Whats even worse: The first reports came in (from users!) over one day ago and the forum thread seems to indicate that they still have no clue what happend!

So lets hope for that...

thoughtsimple13y ago

Any response from Dropbox yet on this?

Given their previous problems, you would think they would be on top of this immediately.

frossie13y ago

Page 2 of the OP, highlighted comment, quote:

"Hi all,

We are actively investigating your reports. If you have any additional information, please email security@dropbox.com, and we’ll be sure to follow up

Joe"

adanto684013y ago· 2 in thread

I use a specific "MYNAME-dropbox@MYDOMAIN.com" email address for Dropbox and I can confirm that my Dropbox-specific address has NOT received any SPAM messages.

The only messages that have ever been sent to that specific address are from Dropbox themselves...

moepstar13y ago

My generic @gmail.com email address has yet to receive any casino specific spam either - and i'm from .de so it seems it has been guesswork on the part of the spammers?

moepstar13y ago

Ok, to reply to myself there really seems something wrong with Dropbox...

The email-address i signed up with and the one that is attached to my account is @gmail.com

However, i've recently invited 2 people with my personal @gmx.de email (using the iPhone app) and guess what...

I've got Euro Dice spam in my spamfolder there :(

bradleyland13y ago· 1 in thread

wlesieutre13y ago

The address book scenario or dropbox breach both seem more likely, but it's worth keeping in mind.

ecaron13y ago· 1 in thread

Xymak1yOP13y ago

// I did change the title to not mislead readers.

dhyasama13y ago· 1 in thread

My favorite part of the support forum is the suggestion to submit a ticket and it will "usually" be addressed in 1-3 days.

antoko13y ago

to be fair that wasn't a post by dropbox staff just a random user.

joealba13y ago

The Internet would be a better place if people would stop, take a deep breath and think before they type.

Good idea: Let the dropbox folks know that you received spam to a custom address tied to their service and let them look into it, whether it be a directed spam campaign or a possible leak.

Bad idea: "OMG!!1! Dropbox is pwn3d! Admit it! Apologize for your wrongs!"

gingerlime13y ago

TomGullen13y ago

Here's one way to get people's email addresses. For what it's worth, I emailed DropBox about this a long time ago (months ago) and didn't even get a reply to my email!

If you use your DropBox referal code, on this page:

https://www.dropbox.com/account/bonus

You will see a list of peoples email addresses that clicked the link and signed up. Unbeknownst to them you have their email addresses.

This is bad because it makes phishing quite easy.

Perhaps not the source of the spam, but nonetheless still a bad execution in my opinion.

1 more reply

j / k navigate · click thread line to collapse